Re: Empty but existing resource | Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Mike Bishop <Michael.Bishop@microsoft.com> Fri, 07 October 2016 05:54 UTC

From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
CC: Patrick McManus <mcmanus@ducksong.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/BN6PR03MB2708B10DA14691402007A1F587C60@BN6PR03MB2708.namprd03.prod.outlook.com>

Fair enough that the Alt-Svc could have been inserted by an attacker that knows that particular server is scheme-insensitive and wants to provoke whatever the misbehavior is.  Validating the agreement over TLS for that reason makes more sense to me.  I still would argue that a client SHOULD check for this (not MUST) simply because a client could follow the Alt-Svc header without checking .w-k and be perfectly compliant with RFC 7838.  The client isn't requesting additional functionality via Opp-Sec, but gaining a way to double-check the alternative's intent/ability to play along when the initial reference was vulnerable to meddling.  (Unless we're proposing to update RFC 7838 by adding that MUST?)

While I certainly grant that it's possible for apps above the server layer to handle this incorrectly as well, I think a lot of that gets mitigated if the server layer properly tells the app that the requested URL was http://example.com.  (I believe ours actually overrides the scheme as presented, so an app basically never has the chance to get it right.)  While apps are endlessly creative in ways to get things wrong, your odds are at least much better if the server is capable of delivering the correct requested URL to the application.
________________________________
From: Martin Thomson <martin.thomson@gmail.com>
Sent: Thursday, October 6, 2016 10:11:37 PM
To: Kari Hurtta
Cc: Mike Bishop; Patrick McManus; HTTP working group mailing list
Subject: Re: Empty but existing resource | Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

On 7 October 2016 at 15:21, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> I do not not like existing but empty resource test.
>
> I have seen some instructions (for load balancer)
> that how to convert http 404 to http 200 with empty page
> (or response).

Then insist on it being text that includes the origin.
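
The check discussed in this thread, as an added example that is not part of the original messages: a client treats the alternative as confirmed only when the resource fetched from it over TLS names the origin, so a load balancer that turns a 404 into an empty 200 does not pass. The JSON-array-of-origins body, the function names and the sample responses are assumptions (that body shape is the one later published in RFC 8164; the draft under discussion may differ).

```python
import json


def origin_confirmed(origin, status, content_type, body):
    """Return True only if the fetched resource explicitly lists `origin`.

    `body` is the raw response payload (bytes) obtained from the alternative
    service over the authenticated TLS connection.
    """
    if status != 200:
        return False
    # An HTML error page served with 200 must not count as agreement.
    if content_type.split(";")[0].strip().lower() != "application/json":
        return False
    # The "empty but existing resource" case: a 404 rewritten to an empty 200.
    if not body.strip():
        return False
    try:
        listed = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return False
    if not isinstance(listed, list):
        return False
    # Exact string match on the serialized origin; no prefix or substring match.
    return any(isinstance(item, str) and item == origin for item in listed)


# Constructed sample responses: (label, status, content type, body).
SAMPLES = [
    ("lb-rewrites-404", 200, "text/html", b""),
    ("empty-json-type", 200, "application/json", b"  \n"),
    ("soft-404-page", 200, "text/html", b"<html>Not found</html>"),
    ("other-origin", 200, "application/json", b'["http://other.example"]'),
    ("substring-only", 200, "application/json", b'["http://example.com.evil.test"]'),
    ("not-an-array", 200, "application/json", b'{"http://example.com": {}}'),
    ("confirmed", 200, "application/json; charset=utf-8",
     b'["http://example.com", "http://www.example.com"]'),
]


def run_samples(origin="http://example.com"):
    """Map each constructed sample label to the check's verdict."""
    return {label: origin_confirmed(origin, status, ctype, body)
            for label, status, ctype, body in SAMPLES}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:18} -> {'use alternative' if verdict else 'ignore Alt-Svc'}")
```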